DocumentCode
3718779
Title
Network attack origin forensics with fuzzy logic
Author
Maryam Rostamipour;Babak Sadeghiyan
Author_Institution
Department of Computer Engineering and Information Technology, Amirkabir University of Technology, Tehran, Iran
fYear
2015
Firstpage
67
Lastpage
72
Abstract
Network forensics comprises scientifically proven techniques to collect, detect, identify, examine, correlate, analyze, and document digital evidence from multiple sources in order to identify suspicious entities and their stepwise actions. The overwhelming volume and low quality of sensor output make it difficult for analysts to find the origin of an attack in complex multi-stage intrusions. In this paper, we propose a new expert system that automatically detects the origin of attack in single- and multi-stage attacks, with no human involved in the investigation. The main novelty of our forensics system is the development of an expert system based on fuzzy logic, which uses multiple sources to detect the origin of the attack and the systems involved in it, and then automatically creates evidence. The system is able to indicate the time, origin and scenario of the attack. Experimental results show that our system can detect the origin of attack in single- and multi-step attacks and provide useful and comprehensive information for further investigation.
Keywords
"Feature extraction","Reliability","Bayes methods"
Publisher
ieee
Conference_Titel
Computer and Knowledge Engineering (ICCKE), 2015 5th International Conference on
Type
conf
DOI
10.1109/ICCKE.2015.7365863
Filename
7365863